Compliance and security budgets follow the risks.
Operational risks are hard to measure, but companies have their own historical data on losses, and can build models of probability and therefore of future expected losses for given risks. In this way, they can compare the expected losses across their risk portfolio and allocate budget appropriately. Information sharing would improve this, but it's not happening.
Cybersecurity teams have long resisted this type of analysis, portraying cyberrisk as 'different', 'existential', and therefore not subject to normal risk pricing.
Boards, faced with other more pressing operational threats (such as political and economic upheaval, digital disruption, and massively increasing competition), do not agree. But they do agree that things are changing.
GDPR fines have added another variable into the mix. It's not just the size of the penalties proposed or handed out to Google, British Airways and Marriott that's changing senior management thinking. It's the realisation that the largest fines are, and will likely continue to be, related not to data breaches and pure security issues, but to privacy issues around data that has not necessarily been compromised in a security sense.
So while in the US the penalties for poor cybersecurity can be huge (driven by governmental penalties, class action lawsuits, and shareholder action), and in Asia data privacy and security are still in their infancy, in Europe it seems likely that data privacy will take a larger portion of the budget than cybersecurity.
So what does this mean for cybersecurity professionals? And what does it mean more generally for information and data protection and integrity?
Because privacy and security overlap, and because they (and data centralisation and visibility) are critical to digital transformation, it seems about time that the silos in data management be removed.
Companies need a holistic approach to their entire data management process. They need an aggregated approach to compliance, privacy and security. They need to apply standard operational risk modelling and budgeting to these activities. And they need new management and staffing structures to implement these changes.
CISOs, other senior cybersecurity professionals, and vendors too: the times they are a-changing.
Date: January 28, 2020